How to use Netflow for Increased Visibility Into Your Network Part 1

Today, I wanted to discuss how to use NetFlow for increased network visibility. We have already looked at how to design a network that allows increased visibility; now we need to leverage those design strengths. NetFlow is a protocol designed by Cisco to collect and store IP traffic information. Major ISPs use this information to facilitate billing and QoS monitoring. Additionally, and more importantly to us, it can be used to search for traffic anomalies and to identify security incidents.

NetFlow is available from a variety of layer 3 devices, but we are going to talk specifically about capturing NetFlow data from Cisco devices. First we need to set up the device to do a NetFlow export (here is a great post on ingress or egress NetFlow analysis). We are going to assume that we want both ingress and egress enabled.

Here are the commands to configure a Cisco router for both ingress and egress flows:

The above assumes that you have enough knowledge of your Cisco device to determine the things that need to be personalized (collector address, interfaces etc…). Now that we have the device exporting flow data, we will look at examples of analysis (we will address setting up a collector in the next post; this was just to give an idea of how to use NetFlow).

When you first get NetFlow up and running somewhere on your network, you should use whatever tool you decide on for analysis to start building a profile of what is normal behavior on your network. I like open source tools, so I prefer to use the OSU Flow Tools package for collection and analysis, complemented by the Flow Extract package. To build a baseline of what your machines might do, build basic versions of workstations, webservers, database servers etc…; build as much as you can and profile each one individually. Watch what happens to the flows as you do things like browse a web page or initiate a database connection from a webserver. The more things you do and watch, the more you will be able to spot anomalous traffic. These are just meant as things to think about; I will write up some posts documenting the installation of the collectors, storage and analysis systems using open source tools, or you can jump ahead, do it yourself and start playing.
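To make the profiling idea concrete, here is an added example (not code from the post or from the flow-tools package) that decodes the fixed-size NetFlow v5 export format described above and then compares each flow against a per-host baseline of expected (protocol, destination port) pairs learned during the profiling phase. The host addresses, the baseline contents and the sample packet are all constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 export packet layout (Cisco): a 24-byte header followed by
# up to 30 fixed 48-byte flow records, all fields big-endian.
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(packet):
    """Return the flow records carried in one NetFlow v5 export packet."""
    version, count, *_ = HDR.unpack_from(packet, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 packet")
    flows = []
    for i in range(count):
        f = REC.unpack_from(packet, HDR.size + i * REC.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows

def build_record(src, dst, sport, dport, proto, pkts, octets):
    """Constructed v5 record, used only to assemble sample packets offline."""
    return REC.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                    1, 2, pkts, octets, 0, 0, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

def build_packet(records):
    """Constructed v5 header (version 5, record count) plus the records."""
    return HDR.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + b"".join(records)

# Baseline learned while profiling each server role: the (protocol, dport)
# pairs each host normally initiates. Constructed values, not from the post.
BASELINE = {
    "10.0.1.10": {(6, 3306)},   # web server only opens MySQL connections
    "10.0.1.20": set(),         # database server initiates nothing outbound
}

def find_anomalies(flows, baseline):
    """Flows from a profiled host whose (proto, dport) was never seen in profiling."""
    return [f for f in flows
            if f["src"] in baseline and (f["proto"], f["dport"]) not in baseline[f["src"]]]

SAMPLE = build_packet([                      # constructed export packet
    build_record("10.0.1.10", "10.0.1.20", 51022, 3306, 6, 40, 6100),   # normal
    build_record("10.0.1.20", "203.0.113.7", 44112, 6667, 6, 12, 900),  # unexpected
])

if __name__ == "__main__":
    for a in find_anomalies(parse_v5(SAMPLE), BASELINE):
        print("anomalous:", a)
```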